Digital Forensics Lab Guide | PDF | Computer Forensics | Digital Forensics
Uploaded by

Sahil Dharaviya

GUJARAT TECHNOLOGICAL UNIVERSITY

INTERNATIONAL INNOVATIVE UNIVERSITY


ESTABLISHED BY AN ACT OF GOVERNMENT OF GUJARAT.

Computer Science and Engineering (CSE)

Digital Forensics (3170725)

BE Semester-VII

LAB MANUAL

Dev Golwala
Enrollment No.: 210220131084

Department of Computer Science & Engineering


Government Engineering College
Katpur-384265
Patan
Government Engineering College, Patan
Computer Science and Engineering

CERTIFICATE

This is to certify that


Mr./Ms. Enrollment
No. of B.E. Semester VII Computer Science and
Engineering of this Institute (GTU Code: 022) has satisfactorily completed the
Practical work for the subject Digital Forensics (3170725) for the academic
year 2024-25.

Place:

Date:

Name and Sign of Faculty member Head of the Department


LIST OF EXPERIMENTS

1. To study Computer & Digital Forensics. List the system and third-party software tools available for forensic investigation.
2. Browser history & Digital Forensics Investigation.
   A. Find and state the importance of browser history in digital forensic investigation. Find case studies where browser history was used during a digital forensics investigation and prepare a brief summary of one such case study.
   B. Install Browser History Capturer and Browser History Viewer on your system and write the installation steps. Explore the functionalities of the tool with an example and discuss them with screenshots in your practical report.
3. Install LastActivityView, ProduKey, UninstallView, OpenedFilesView, SearchMyFiles, WinLogOnView, and SysExporter on your system. Write a brief summary of each tool. Explore the functionalities of these tools and discuss their usage with examples and screenshots in your practical report.
4. Install Nmap, NetworkMiner and Wireshark on your system and write the installation steps of each network tool. Discuss the functionalities of these tools with screenshots in your practical report. Explain the use of these tools in digital forensics.
5. Install MAGNET RAM Capture, MAGNET Encrypted Disk Detector, and MAGNET Web Page Saver on your system and discuss the installation steps in your practical report. Discuss the functionalities of these tools with screenshots in your report. Explain the use of these tools in digital forensics.
6. Install Volatility on your system and write the installation steps with screenshots in your practical report. Discuss the functionalities of this tool.
7. Computer operating system artifacts: finding deleted data, hibernation files, examining the Windows registry, Recycle Bin operation, understanding metadata, restore points and shadow copies.
8. Demonstrate the COFEE tool.
9. Comparison of two files for forensic investigation using the Compare IT software.
10. Forensic image of a hard drive using EnCase Forensics.
Index

PR NO  CO   TITLE           Page No  Start Date  End Date  Faculty sign
1      CO1  Experiment -1   01
2      CO4  Experiment -2   04
3      CO4  Experiment -3   13
4      CO4  Experiment -4   21
5      CO4  Experiment -5   30
6      CO4  Experiment -6   38
7      CO4  Experiment -7   41
8      CO4  Experiment -8   47
9      CO4  Experiment -9   51
10     CO4  Experiment -10  54
Course Outcomes:
CO-1 Describe Forensic science, Digital Forensic, motives and modus operandi
behind cyber-attacks.
CO-2 Recall various technical concepts of digital computer system.
CO-3 Interpret the cyber pieces of evidence, the digital forensic process model and their
legal perspective.
CO-4 Demonstrate various forensic tools to investigate the cybercrime and to
identify the digital pieces of evidence.
CO-5 Analyze the digital evidence used to commit cyber offences.
RUBRICS FOR LABORATORY PRACTICALS ASSESSMENT

Subject Name : Digital Forensics

Subject Code : 3170725


Semester : 7

Term : Odd Term 2024

Term Start Date : End Date:


Rubrics ID  Criteria                                  Marks                                            Points Distribution
RB1         Submission Regularity                     10 (1 mark for each exp.)                        On Time (100 %) / Thereafter in given deadline (50 %) / Or 0
RB2         Assessment based on presentation of work  10 (two progressive evaluations - 5 marks each)  As per Table 1.
Table 1.
RB2 1. Two presentations will be conducted in the whole semester. Each presentation will carry 5 marks.
2. The first presentation will be conducted at the middle of the semester and will cover experiments 1 to 5; the second, at the end of the semester, will cover experiments 6 to 10.
3. Two students in a group will work on all experiments throughout the semester and present the same during the evaluation.
4. Points mentioned in the student presentation evaluation sheet will be considered during the presentation to carry out progressive assessment of 5 marks in each phase.
Student Presentation Evaluations    Presentation- I: / /2024    Presentation- II: / /2024

Weights: 100 %, 75 %, 50 %, 25 %, AB = 0; Total

1. Organization of presentation (1)
   100 %: Information presented as an interesting story in a logical, easy to follow sequence.
   75 %: Information presented in a logical sequence; easy to follow.
   50 %: Most of the information presented in sequence.
   25 %: Sequence of information jumpy.
   P-1
   P-2

2. Background Content and supportive stuff (1)
   100 %: Material sufficient for clear understanding AND exceptionally presented. Uses graphics that explain and reinforce text and presentation.
   75 %: Material sufficient for clear understanding and effectively presented. Uses graphics that explain text and presentation.
   50 %: Material sufficient for clear understanding. Uses graphics that relate to text and presentation.
   25 %: Material not clearly related to topic. Uses graphics that rarely support text and presentation.
   P-1
   P-2

3. Knowledge (1)
   100 %: Outstanding. 75 %: Admirable. 50 %: Average. 25 %: Inadequate.
   P-1
   P-2

4. Presentation Skills (Eye contact and speaking ability) (2)
   100 %: Refers to slides to make points; fully engaged. Correct, precise; voice is clear.
   75 %: Refers to slides to make points; eye contact majority of the time. Voice is clear with few fluctuations.
   50 %: Refers to slides to make points; occasional eye contact. Voice fluctuates from low to clear.
   25 %: Reads most slides; no or just occasional eye contact. Mumbling.
   P-1
   P-2

Student Signature:
LABORATORY EXPERIMENTS(Practicals) ASSESSMENT

SUBJECT NAME: Digital Forensics


SUBJECT CODE: 3170725
TERM: Odd Term 2024
Enrolment No. Name:
Semester:
Class: Batch:

Sr.No  Exp.No  CO  RB1  RB2  Total
1      1       1
2      2       4
3      3       4
4      4       4
5      5       4
6      6       4
7      7       4
8      8       4
9      9       4
10     10      4
TOTAL

Student Signature:
Experiment 1:
AIM: To Study about Computer & Digital Forensics. List available system and third-party
software tools for forensic investigation.

Competency and Practical Skills: Basic understanding of digital forensic and digital forensic tools.

Relevant CO: CO1

Objectives: To gain knowledge about computer and digital forensic and its tools.

Equipment/Instruments: Computer, digital forensic software.

The aim of this experiment is to introduce students to the field of computer and digital forensics and
to provide an overview of the various system and third-party software tools commonly used in forensic
investigations.

Computer and digital forensics is the science of collecting, analyzing, and preserving electronic
evidence in a way that is suitable for presentation in a court of law. This field is crucial for investigating
cybercrimes, data breaches, and other digital incidents. To perform effective digital forensics,
investigators rely on a range of tools and software, both built into operating systems and developed by
third-party vendors.

Tools and Software:

 System Tools:

 Operating System Logs: Most computer operating systems, such as Windows, macOS, and Linux,
maintain various logs that record system activities, including login attempts, file access, and system
events. These logs can be instrumental in forensic investigations.
 Command-Line Tools: Operating systems provide command-line utilities like dd, ddrescue, and file
that are used to create disk images, copy data, and identify file types, respectively.
 Registry Editors: Windows-based systems have registry editors, such as regedit, to analyze and
recover information from the Windows Registry.

 Third-Party Software Tools:

 EnCase Forensic: A popular digital forensics tool that provides comprehensive analysis and data
recovery capabilities. It is used to acquire, analyze, and report on digital evidence.
 Autopsy: An open-source digital forensics platform that includes various modules for file analysis,
registry analysis, keyword searching, and web artifact analysis.
 The Sleuth Kit (TSK): An open-source library and collection of command-line digital forensic tools
for analyzing disk images.
 AccessData FTK (Forensic Toolkit): FTK is a commercial forensic software suite known for its
advanced search and analysis capabilities.

 X-Ways Forensics: Another commercial forensic tool that offers disk imaging, data recovery, and
comprehensive analysis functions.
 Volatility: An open-source memory forensics framework used to analyze the volatile memory of a
computer. It's valuable for investigating malware and advanced persistent threats (APTs).
 Wireshark: A widely-used network protocol analyzer that can capture and examine network traffic,
which is essential for network forensics.
 Cellebrite UFED: A mobile forensics tool for extracting and analyzing data from smartphones and
other mobile devices.

1. What is Digital Forensics?


Digital forensics is the process of collecting, preserving, analyzing, and presenting electronic evidence
in legal proceedings. It involves investigating digital devices and data to uncover evidence of
cybercrimes, data breaches, or other malicious activities.

2. What is computer Forensics?


Computer forensics is a subset of digital forensics that focuses specifically on the examination of
computer systems and related data. It deals with the analysis of computer hardware, software,
and storage devices to identify, recover, and preserve digital evidence.

3. Differentiate digital forensics and computer forensics.


Digital forensics is a broader field encompassing the investigation of all digital devices and data,
including computers. Computer forensics, on the other hand, is a specialized branch of digital forensics
that concentrates solely on computer systems. Digital forensics also includes areas like mobile device
forensics, network forensics, and multimedia forensics, whereas computer forensics is more focused on
traditional computer hardware and software.

4. What Can Digital Forensics Do?


Digital forensics can:
 Recover deleted or hidden files.
 Analyze system and application logs.
 Examine email and messaging communications.
 Identify and track the source of cyberattacks.
 Authenticate and validate digital evidence.
 Investigate intellectual property theft.
 Assist in legal and criminal investigations.

5. What Is Anti-Forensics?
Anti-forensics refers to techniques and tools used to thwart or undermine digital forensic investigations.
This can involve data destruction, encryption, file hiding, and other tactics to make it difficult for
forensic investigators to retrieve and analyze evidence.

6. List digital forensic, system and third-party tools with reference.
List of Digital Forensic, System, and Third-Party Tools with Reference:

 Digital Forensic Tools:


 Encase Forensic: Encase
 Autopsy: Autopsy
 The Sleuth Kit (TSK): TSK
 Volatility: Volatility
 Wireshark: Wireshark

 System Tools:
 Operating System Logs: Built into the operating system (e.g., Windows Event
Viewer, macOS Console).
 Command-Line Tools: Available in the command prompt or terminal.
 Registry Editors: e.g., regedit for Windows.

 Third-Party Tools:
 AccessData FTK: AccessData FTK
 X-Ways Forensics: X-Ways Forensics
 Cellebrite UFED: Cellebrite
 PhotoRec: PhotoRec
 Scalpel: Scalpel
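The system tools above (dd for imaging, file for type identification) and the carving tools in this list (PhotoRec, Scalpel) both rest on two ideas: an image is verified by its hash before and after analysis, and deleted files whose directory entries are gone can still be recovered by scanning raw bytes for known file signatures. The following Python script is an added example written for this manual, not code from any of the listed tools. The disk image it works on is constructed in memory (zeroed free space with three "deleted" files embedded); the JPEG, PNG and PDF header/footer bytes are the real signatures.

```python
import hashlib

# Header/footer signatures (magic bytes) for the file types carved here.
# These are the real signatures; the disk image below is constructed.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

# Constructed sample payloads, each with a valid header and footer.
SAMPLE_JPG = b"\xff\xd8\xff\xe0" + b"JFIF-sample" + b"\xff\xd9"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR-sample" + b"IEND\xaeB`\x82"
SAMPLE_PDF = b"%PDF-1.4 sample\n" + b"%%EOF"


def build_sample_image() -> bytes:
    """Constructed raw 'disk image': zeroed free space with three files whose
    directory entries are gone (deleted), so only their content survives."""
    return (b"\x00" * 512 + SAMPLE_JPG + b"\x00" * 300 + SAMPLE_PNG
            + b"\x00" * 100 + SAMPLE_PDF + b"\x00" * 200)


def sha256_hex(data: bytes) -> str:
    """Hash recorded at acquisition and re-checked after every analysis step."""
    return hashlib.sha256(data).hexdigest()


def carve(image: bytes) -> list:
    """Signature-based carving: for every known header, copy bytes up to the
    next matching footer. Works on the raw image, so no file system is needed."""
    found = []
    for ext, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header))
            if end == -1:
                break  # header without footer: fragment, leave for manual review
            end += len(footer)
            data = image[start:end]
            found.append({"type": ext, "offset": start, "size": len(data),
                          "sha256": sha256_hex(data)})
            pos = end
    return sorted(found, key=lambda r: r["offset"])


def verify_image(image: bytes, recorded_hash: str) -> bool:
    """Integrity check: the working copy must still match the acquisition hash."""
    return sha256_hex(image) == recorded_hash


if __name__ == "__main__":
    img = build_sample_image()
    acquisition_hash = sha256_hex(img)
    for rec in carve(img):
        print(rec)
    print("image unchanged:", verify_image(img, acquisition_hash))
```

Each carved record carries its own hash, which is what goes into the report next to the offset; a file whose header has no footer is deliberately left alone rather than guessed at, because a carver that fabricates file boundaries produces evidence that will not survive cross-examination.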

Experiment 2:
AIM: Browser history & Digital Forensics Investigation.

Competency and Practical Skills: To demonstrate the installation of an available software tool
and its use.

Relevant CO: CO4

Objectives: To learn how the different tools available are used to find browser history logs, capture
the browser history from the different browsers used on the computer system, and interpret the
collected information to establish facts.

Equipment/Instruments: computer system, software tool (browser history capture tool).

Browser history is a critical source of digital evidence in forensic investigations for several reasons:

 Activity Tracking: Browser history records a user's online activities, including visited websites,
search queries, and timestamps. This provides a comprehensive record of the user's online behavior.
 Evidence of Intent: Browser history can provide insights into a user's intent, interests, and activities.
It can reveal searches for suspicious or illegal content, which may be relevant to a criminal
investigation.
 Timestamps: The timestamps associated with each web page visit can help establish a timeline of a
suspect's online actions, which is valuable for reconstructing events in a digital investigation.
 Digital Footprints: Browser history can leave digital footprints of visits to illicit websites, social
media profiles, or communication platforms. These footprints can link suspects to criminal activities.
 Communication and Contacts: Browser history may reveal email, social media, or chat services
used, potentially leading to the discovery of communication with other suspects or evidence of
conspiracies.
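The points above (activity tracking, timestamps, evidence of intent) come down to two operations an examiner performs on a copied history database: converting the browser's native timestamps to UTC to build a timeline, and pulling search terms out of search-engine URLs. The Python script below is an added example for this manual, not code from Browser History Capturer or any other tool on this page. It builds a constructed in-memory copy of the two Chromium `History` tables it reads (`urls` and `visits`, with only the columns used here); the timestamp format (microseconds since 1601-01-01 UTC) is Chromium's real one.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Chromium stores visit_time as microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(microseconds: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def utc_to_webkit(dt: datetime) -> int:
    # floor-division of timedeltas is exact integer arithmetic (no float rounding)
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


# Constructed visits; in a real case these come from the copied History file.
SAMPLE_VISITS = [
    ("https://mail.example.com/inbox", "Inbox",
     datetime(2024, 3, 5, 9, 14, 2, tzinfo=timezone.utc)),
    ("https://www.google.com/search?q=how+to+securely+erase+a+usb+drive",
     "how to securely erase a usb drive",
     datetime(2024, 3, 5, 9, 20, 45, tzinfo=timezone.utc)),
    ("https://forum.example.org/thread/4521", "Data recovery tools",
     datetime(2024, 3, 5, 9, 22, 10, tzinfo=timezone.utc)),
    ("https://www.google.com/search?q=flights+to+goa+this+weekend", "flights to goa",
     datetime(2024, 3, 5, 18, 5, 0, tzinfo=timezone.utc)),
]


def build_sample_history() -> sqlite3.Connection:
    """In-memory copy of the two Chromium History tables used below
    (constructed; only the columns this example reads are created)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    for i, (url, title, when) in enumerate(SAMPLE_VISITS, start=1):
        con.execute("INSERT INTO urls VALUES (?, ?, ?)", (i, url, title))
        con.execute("INSERT INTO visits VALUES (?, ?, ?)", (i, i, utc_to_webkit(when)))
    con.commit()
    return con


def timeline(con: sqlite3.Connection) -> list:
    """Chronological (UTC) list of visits: the timeline an examiner reconstructs."""
    rows = con.execute("""
        SELECT v.visit_time, u.url, u.title
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time
    """).fetchall()
    return [(webkit_to_utc(t).strftime("%Y-%m-%d %H:%M:%S UTC"), url, title)
            for t, url, title in rows]


def search_queries(con: sqlite3.Connection) -> list:
    """Pull the q= parameter out of search-engine result URLs (evidence of intent)."""
    queries = []
    for _, url, _ in timeline(con):
        parts = urlparse(url)
        if parts.path.endswith("/search"):
            q = parse_qs(parts.query).get("q")
            if q:
                queries.append(q[0])
    return queries


if __name__ == "__main__":
    con = build_sample_history()
    for row in timeline(con):
        print(*row, sep=" | ")
    print("searches:", search_queries(con))
```

Work on a copy of the History file, never the live one: the browser holds a lock on it and writes to it, which would both fail the open and alter the evidence. Timestamps are reported in UTC and converted to local time only in the report, with the time zone stated, since a timeline mixing zones is the commonest way to misplace an event.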

 Case Study: The Importance of Browser History in Digital Forensics

Case Title: United States v. Ross Ulbricht (Silk Road Case)

 Summary:

The United States v. Ross Ulbricht is a landmark case involving the Silk Road, an online
marketplace for illegal goods and services. Ross Ulbricht, operating under the pseudonym "Dread
Pirate Roberts," was accused of creating and running the Silk Road.

 Importance of Browser History:

Browser history played a significant role in this case. Investigators analyzed Ulbricht's browsing
history to establish a connection between his online activities and the Silk Road. They found that
Ulbricht had accessed the Silk Road administration panel on multiple occasions. This browser
history evidence linked him directly to the operation of the illicit marketplace, demonstrating his
involvement.

 Outcome:

Ross Ulbricht was arrested and subsequently convicted of multiple charges, including conspiracy to
commit money laundering, computer hacking, and conspiracy to traffic narcotics. He received a life
sentence without the possibility of parole. Browser history, among other digital evidence, played a
crucial role in the investigation and conviction of Ulbricht.

This case illustrates the importance of browser history in digital forensics by showing how it can
provide critical evidence to link suspects to criminal activities and establish their guilt in court.

 Installation And History capturing steps for Browsing History capture Application:

Step-1 Go to the website https://www.foxtonforensics.com/browser-history-capturer/download.

Step-2 Click on the Download button.

Step-3 Enter your name and email ID to receive the download link.

Step-4 Once the ZIP file has been downloaded, unzip it on your system.

Step-5 In that folder, click on the Setup.exe file to install the app; this popup will be displayed.

Step-6 Click on the Next button.

Step-7 Click on I Agree and then the Next button.

Step-8 Select the folder for installation and click the Next button; the installation will start.

Step-9 Launch the app on your system.

Step-10 The app will look like this.

Step-11 Apply a filter to get the history from the filter menu on the right-hand side. Select the date, time, web browser and types, and click on Filter.

Step-12 After that, click on File and then Capture History. The view below will be shown.

Step-13 Select "Capture History from this computer" and click on the Next button.

Step-14 Select the user profile, browsers and data, select the destination folder, and click on Capture.

Step-15 It will start capturing the history of the browser.

Step-16 Final output of the app.

 Functionalities of tool:-

 It shows the bookmarks from the particular browser.

 It also shows the browser settings.

 It shows the cache images.

 It shows the detailed view according to the time.
Experiment 3:
AIM: Install Last Activity View, ProduKey, UninstallView, OpenedFilesView, SearchMyFiles,
WinLogOnView, and SysExporter on your system. Write brief summary of each tool. Explore
functionalities of these tools and discuss their usage with example with screenshots in your
practical report.

Competency and Practical Skills: To demonstrate the installation of available system &
software tools and their use.

Relevant CO: CO4

Objectives: To study the different utilities and system tools available for the target operating system
and use them to find useful insights from the system.

Equipment/Instruments: computer system, software tool.

 Last Activity View: -

 Description: LastActivityView is a tool for the Windows operating system that collects information
from various sources on a running system and displays a log of actions made by the user and events
that occurred on this computer. The activity displayed by LastActivityView includes: running .exe files,
opening an open/save dialog box, opening a file/folder from Explorer or other software, software
installation, system shutdown/start, application or system crash, network connection/disconnection and
more.
 Steps:
 Download and Launch: Download LastActivityView from the NirSoft website and unzip the
downloaded file. Run the executable (LastActivityView.exe).
 View Activity Log: The tool displays a list of activities in its main window. You can see the event
time, activity type, description, filename, and more.

 Functionalities:
 Monitoring Activity: LastActivityView records a wide range of user activities, including program
execution, file access, website visits, and more. It timestamps each activity, allowing you to track the
sequence of events.
 Filtering and Sorting: The tool provides filtering and sorting options, allowing you to focus on
specific activities or timeframes. You can filter by date, event type, file type, and more.
 Exporting Data: You can export the activity logs to various file formats, such as CSV, HTML,
XML, or plain text. This makes it easy to save and share the data for further analysis.
 Quick Search: LastActivityView offers a search function that lets you find specific activities or
keywords within the logs.

 ProduKey: -

 Description: ProduKey is a small utility that displays the ProductID and the CD-Key of Microsoft
Office (Microsoft Office 2003, Microsoft Office 2007), Windows (Including Windows 8/7/Vista),
Exchange Server, and SQL Server installed on your computer. You can view this information for
your current running operating system, or for another operating system/computer - by using
command-line options. This utility can be useful if you lost the product key of your
Windows/Office, and you want to reinstall it on your computer.

 Steps: Download and Launch: Download ProduKey from the NirSoft website. Extract the
downloaded ZIP file to a folder on your computer. Run the ProduKey.exe executable.

 Functionalities:
 View Product Keys: Upon launching ProduKey, it will scan your system for installed Microsoft
products and display the product keys in its interface. The tool provides information such as
Product Name, Product ID, Product Key, and the installation path of the product.
 Export Product Key Information: ProduKey allows you to save the product key information to a
text file, HTML file, CSV file, or other formats. To export the data, select the desired product
keys from the list, and then use the "File" menu to choose the export format.

 UninstallView :-

 Description: UninstallView is a tool for Windows that collects information about all programs
installed on your system and displays the details of the installed programs in one table. You can use
it to get installed programs information for your local system, for remote computer on your
network, and for external hard-drive plugged to your computer. It also allows you to easily uninstall
a software on your local computer and remote computer (Including quiet uninstall if the installer
supports it). Starting from version 1.30, you can also view and uninstall Windows Apps if the 'Load
Windows Apps' option is turned on.

 Steps: Download and Launch: Start by downloading UninstallView from the NirSoft website. As
mentioned earlier, it's a portable application, so there's no installation required. Extract the
downloaded file and run the executable.

 Functionalities:

 List of Installed Programs: UninstallView generates a list of all the programs installed on your
Windows system, including both 32-bit and 64-bit applications.
 Program Details: For each installed program, it displays essential information such as the
program name, publisher, version, installation date, installation folder, and more.
 Uninstall Functionality: UninstallView allows you to initiate the uninstallation of selected
programs directly from the tool. This can help you easily remove unwanted or outdated software.
 Filtering and Sorting: You can filter and sort the list of installed programs based on various
criteria, making it easy to find specific applications.
 Exporting Data: UninstallView allows you to export the list of installed programs to various
file formats (e.g., HTML, XML, CSV) for further analysis or reporting.

 OpenedFilesView: -

 Description: OpenedFilesView displays the list of all opened files on your system. For each opened
file, additional information is displayed: handle value, read/write/delete access, file position, the
process that opened the file, and more...Optionally, you can also close one or more opened files, or
close the process that opened these files. This utility is especially useful if you try to delete/move/open
a file and you get one of the following error messages:
 Cannot delete [filename]: There has been a sharing violation. The source or destination file may
be in use.
 Cannot delete [filename]: It is being used by another person or program. Close any programs that
might be using the file and try again.

 Steps :- Download and Launch: Download OpenedFilesView from the NirSoft website and unzip the
downloaded file. Run the executable to launch the program.

 Functionalities:
 View Open Files: OpenedFilesView provides a list of files that are currently open or in use. The
list includes information about the file's path, process name, process ID (PID), and more.
 Sort and Filter: You can sort the list of open files by various criteria, such as the file name,
process name, file path, and more. Filtering options allow you to focus on specific files or
processes.
 Export Data: OpenedFilesView enables you to export the list of open files to various file
formats (e.g., CSV, HTML, XML) for further analysis or documentation.
 Close Files: While OpenedFilesView is primarily a monitoring tool, it can also be used to
forcibly close open files in certain cases. However, caution should be exercised when closing
files, as it can impact running applications.

 SearchMyFiles :-

 Description: - SearchMyFiles is an alternative to the standard "Search For Files And Folders"
module of Windows. It allows you to easily search files in your system by wildcard, by last
modified/created/last accessed time, by file attributes, by file content (text or binary search), and by
the file size. SearchMyFiles allows you to make a very accurate search that cannot be done with
Windows search. For Example: You can search all files created in the last 10 minutes with size
between 500 and 700 bytes.
 After you made a search, you can select one or more files, and save the list into text/html/csv/xml
file, or copy the list to the clipboard.

 Steps :- Download and Launch: Start by downloading SearchMyFiles from the official NirSoft
website. After downloading, extract the ZIP file and run the executable.
 Functionalities:
 Advanced File Searching: SearchMyFiles allows you to perform advanced searches based on
various criteria, including file content, file name, file extension, size, modification date, and
more.
 Search Filters: You can use filters to narrow down your search results, making it easier to find
specific files or groups of files.
 Save and Load Search Profiles: You can save your search settings as profiles for future use,
which is helpful for recurring searches.
 Multiple Search Modes: The tool offers different search modes, such as quick search, wildcards,
regular expressions, and more, to suit your search needs.
 Search Subfolders: SearchMyFiles can be configured to search within subfolders, allowing for
deep file and folder exploration.
 Search Results: Search results are displayed in a tabular format, providing detailed information
about each file, including file attributes and timestamps.
 File Management: You can perform various file operations directly from the search results, such
as copy, move, delete, or open files and folders.

 WinLogOnView :-

 Description: - WinLogOnView is a simple tool for Windows 10/8/7/Vista/2008 that analyses
the security event log of the Windows operating system and detects the date/time that users logged
on and logged off. For every time that a user logs on/off to your system, the following
information is displayed: Logon ID, User Name, Domain, Computer, Logon Time, Logoff Time,
Duration, and network address. WinLogOnView also allows you to easily export the logon
sessions information to a tab-delimited/comma-delimited/HTML/XML file.

 Steps:- Download and Launch:Download WinLogOnView from the NirSoft website. It's a
portable application, so there's no need to install it. Simply unzip the downloaded file and run the
executable (WinLogOnView.exe).

 Functionalities:
 View Logon and Logoff Events: Upon launching, WinLogOnView will display a list of logon
and logoff events in its main window. Each entry includes details such as the event time, user
name, workstation, domain, authentication package, and more.
 Filter and Search: You can filter the logon and logoff events by using the filter options
provided in the tool. This allows you to narrow down the list to specific users, time periods, or
other criteria.
 Export Data: WinLogOnView allows you to export the logon/logoff event data to various file
formats, including CSV, HTML, and XML. This is useful for creating reports or for sharing the
data with others.
 Generate Summary Report: The tool can generate a summary report that includes statistics
about logon and logoff events. It provides an overview of the number of logon/logoff events
and user sessions.
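What WinLogOnView does with the Security log is pair each logon event with the logoff event that carries the same Logon ID and compute the session duration. The Python script below is an added example of that pairing written for this manual, not WinLogOnView's code. The event IDs (4624 logon, 4634 logoff, 4647 user-initiated logoff) and logon types (2 interactive, 10 RemoteInteractive) are the real Windows values; the event records themselves are constructed, in the fields the tool reports, and include a logoff whose logon has rolled out of the log and a session that never logs off.

```python
from datetime import datetime, timezone

# Windows Security log event IDs and logon types used below (real values).
LOGON, LOGOFF, USER_LOGOFF = 4624, 4634, 4647
INTERACTIVE, REMOTE_INTERACTIVE = 2, 10

# Constructed records carrying the fields WinLogOnView reports.
SAMPLE_EVENTS = [
    {"event_id": 4624, "time": "2024-03-05T08:55:10Z", "logon_id": "0x3E7A1",
     "user": "dev", "domain": "LAB-PC", "logon_type": 2, "src_ip": "-"},
    {"event_id": 4624, "time": "2024-03-05T09:10:00Z", "logon_id": "0x4B200",
     "user": "admin", "domain": "LAB-PC", "logon_type": 10, "src_ip": "10.0.0.25"},
    {"event_id": 4634, "time": "2024-03-05T09:42:30Z", "logon_id": "0x4B200"},
    {"event_id": 4647, "time": "2024-03-05T17:30:00Z", "logon_id": "0x3E7A1"},
    # logoff whose logon is no longer in the log (log rolled over or was cleared)
    {"event_id": 4634, "time": "2024-03-05T17:31:00Z", "logon_id": "0x11111"},
    {"event_id": 4624, "time": "2024-03-05T23:15:00Z", "logon_id": "0x5C001",
     "user": "admin", "domain": "LAB-PC", "logon_type": 10, "src_ip": "203.0.113.9"},
]


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_sessions(events: list) -> list:
    """Pair each 4624 with the 4634/4647 carrying the same Logon ID and compute
    the session duration; a session with no logoff is still open (or the log
    was cleared/rolled), which is itself worth noting in the report."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == LOGON:
            sessions[ev["logon_id"]] = {
                "logon_id": ev["logon_id"], "user": ev["user"], "domain": ev["domain"],
                "logon_type": ev["logon_type"], "src_ip": ev["src_ip"],
                "logon_time": parse_time(ev["time"]), "logoff_time": None, "duration": None,
            }
        elif ev["event_id"] in (LOGOFF, USER_LOGOFF):
            s = sessions.get(ev["logon_id"])
            if s is None:
                continue  # logoff without a visible logon: report it, do not guess
            s["logoff_time"] = parse_time(ev["time"])
            s["duration"] = s["logoff_time"] - s["logon_time"]
    return sorted(sessions.values(), key=lambda s: s["logon_time"])


def remote_sessions(sessions: list) -> list:
    """Type-10 (RDP-style) logons carry a source address; these are checked
    first against the list of expected administrator workstations."""
    return [s for s in sessions if s["logon_type"] == REMOTE_INTERACTIVE]


def sessions_outside_hours(sessions: list, start_hour: int = 8, end_hour: int = 19) -> list:
    """Logons outside the business window (UTC hours here)."""
    return [s for s in sessions if not start_hour <= s["logon_time"].hour < end_hour]


if __name__ == "__main__":
    for s in build_sessions(SAMPLE_EVENTS):
        print(s["user"], s["logon_type"], s["src_ip"], s["logon_time"], s["duration"])
```

The two filters at the end are the kind of question an examiner asks of the exported session list: which logons came over the network, and which fall outside normal hours. On the constructed data the late-night remote logon from an address outside the local range stands out, and the session that never closes is reported as open rather than given an assumed end time.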

 SysExporter :-

 Description: - SysExporter utility allows you to grab the data stored in standard list-views, tree-views,
list boxes, combo boxes, text-boxes, and WebBrowser/HTML controls from almost any application
running on your system, and export it to text, HTML or XML file. Here's some examples for data that
you can export with SysExporter:
 The files list inside archive file (.zip, .rar, and so on) as displayed by WinZip or 7-Zip File Manager.
 The files list inside a folder.
 The event log of Windows.
 The list of emails and contacts in Outlook Express.
 The Registry values displayed in the right pane of the Registry Editor.
 The data displayed by SysInternals utilities (Registry Monitor, File Monitor, Process Explorer, and
others.)
 The text inside a standard message-box of Windows.
 The HTML inside any instance of Internet Explorer.

 Steps:- Download and Launch: Download SysExporter from the NirSoft website and unzip the
downloaded file. Run the SysExporter executable.

 Functionalities: -

 Select a Window: In the SysExporter main window, click on the "From Window" button. This
will allow you to select the window from which you want to extract data. For this example,
select the Windows Task Manager.
 Choose Control: Once you've selected the Task Manager window, the main window of
SysExporter will display a list of available controls in the selected window. Choose the control
that represents the list of running processes (usually a list view control).

 Select Columns: Click on the "Select Columns" button to choose which columns you want to
export. In the case of Task Manager, you can select columns like "Image Name," "PID," "CPU,"
etc.
 Export Data: After selecting the desired columns, click on the "Export Selected Items" button.
You can choose the export format and specify the output file location.

Experiment 4:
AIM: Install Nmap, NetworkMiner and Wireshark on your system. Write the installation steps of each
network tool. Discuss the functionalities of these tools with screenshots in your practical report.
Explain the use of these tools in digital forensics.

Competency and Practical Skills: To demonstrate the installation and use of available software tools.

Relevant CO: CO4

Objectives: To learn how different network tools are used in forensics to gain insights from
the network.

Equipment/Instruments: computer system, software tool (Network software tools).

 Nmap: - Nmap (Network Mapper) is a widely-used open-source network scanning and mapping tool
that can be installed on various operating systems, including Windows, macOS, and Linux. Here are
the installation steps for Nmap, followed by a discussion of its functionalities and its use in digital
forensics:

 Installation Steps for Nmap:

Step -1 Visit the official Nmap download page: https://nmap.org/download.html

Step-2 Download the Windows installer package (usually labeled as "Latest Stable Release" for
Windows). And Run the setup file.

Step-3 Click on the I Agree button, select the components, and choose the installation location.
After that the installation starts.
 Functionalities of Nmap:

Nmap is a powerful network scanning tool with various functionalities, including:

 Host Discovery: Nmap can identify live hosts on a network by sending ICMP echo requests and
analyzing responses.

 Port Scanning: It can scan for open ports on a target system, helping identify available services.

 Operating System Detection: Nmap can often determine the target system's operating system
based on its responses to various probes.

 Scriptable Scans: Nmap includes a scripting engine (Nmap Scripting Engine or NSE) that allows
users to create custom scripts for specific scanning tasks.

 Version Detection: Nmap can identify the version of software running on open ports, which can
be valuable in assessing vulnerabilities.

 Output Formats: Nmap can produce output in various formats, including text, XML, and
grepable formats, making it suitable for different applications.

 Use of Nmap in Digital Forensics:

In digital forensics, Nmap can be a valuable tool for several purposes:

 Network Reconnaissance: Nmap helps forensic investigators understand the structure of a
network, identify live hosts, and pinpoint potential entry points and attack vectors.
 Vulnerability Assessment: Nmap's version detection and NSE scripts can be used to identify vulnerable services on target systems, which helps in forming hypotheses about how a system might have been compromised.
 Evidence Collection: Nmap is an active tool, so it is run against the live network during incident response, never against an evidence image. Record the exact command line, start time and output files (-oA) and hash them, so the scan documents the investigator's own activity and can be told apart from the attacker's.
 Network Mapping: Nmap can create network maps that illustrate the network's topology, assisting investigators in understanding data flow and which systems were compromised.
 Log Analysis: A target's firewall, IDS and host logs record scanning activity. Comparing those entries with the investigator's timestamped scans separates the examination from earlier reconnaissance by an attacker and shows how the target responded to each probe.
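Saving the scan with -oX gives a machine-readable record of exactly what was found. The following is an added example (not Nmap project code) that reads such a report into a host/port inventory and hashes the raw file for the case notes; the XML is a constructed sample in Nmap's -oX schema with private-range placeholder addresses, not a real scan.

```python
"""Turn Nmap XML output (-oX) into a host/port inventory and hash the report
for the case file. This is an added example, not code from the Nmap project;
the XML below is a constructed sample in Nmap's -oX schema, not a real scan."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample report. Addresses are private-range placeholders.
SAMPLE_NMAP_XML = b"""<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.168.56.0/24" start="1700000000">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <address addr="08:00:27:AA:BB:CC" addrtype="mac" vendor="Oracle VirtualBox virtual NIC"/>
    <hostnames><hostname name="fileserver.lab" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.56.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.56.103" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(data):
    """Return one dict per host that Nmap reported as up."""
    hosts = []
    for h in ET.fromstring(data).findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in h.findall("address")}
        hostname = h.find("hostnames/hostname")
        osmatch = h.find("os/osmatch")
        ports = []
        for p in h.findall("ports/port"):
            svc = p.find("service")
            product = None
            if svc is not None and svc.get("product"):
                product = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            ports.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": p.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
                "product": product,
            })
        hosts.append({
            "ip": addrs.get("ipv4"),
            "mac": addrs.get("mac"),
            "hostname": hostname.get("name") if hostname is not None else None,
            "os": osmatch.get("name") if osmatch is not None else None,
            "ports": ports,
        })
    return hosts


def open_ports(host):
    """Only confirmed-open ports; 'filtered' means no answer, not a listener."""
    return sorted(p["port"] for p in host["ports"] if p["state"] == "open")


def report_digest(data):
    """SHA-256 of the raw report bytes, recorded alongside the scan command and
    time so the output can be tied to the examiner's activity later."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    for host in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(host["ip"], host["hostname"], host["os"], open_ports(host))
    print("report sha256:", report_digest(SAMPLE_NMAP_XML))
```

Hosts reported as down are dropped, and filtered ports are kept but never counted as open, which is the distinction that matters when the inventory is used to argue what was reachable on the network.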

 Network miner:- NetworkMiner is a passive network analysis tool developed for Windows (it also runs on Linux and macOS under Mono) that is used for network traffic analysis, network forensics, and digital investigations. Here are the installation steps, a discussion of its functionalities, and its use in digital forensics:

 Installation Steps for Network miner:

 Visit the official NetworkMiner website: https://www.netresec.com/?page=NetworkMiner
 Download the appropriate edition of NetworkMiner (a free edition and a paid Professional edition are offered).
 NetworkMiner is portable: extract the downloaded ZIP archive to a folder of your choice; no installer is needed.
 Run NetworkMiner.exe from that folder (as Administrator if you intend to sniff an interface rather than open a PCAP file).

 Functionalities of Network miner:

 Network Packet Capture: NetworkMiner is primarily a PCAP parser, but it can also capture traffic directly from a network interface, including both incoming and outgoing packets.
 Extracting Files: It can extract and display files (e.g., images, documents) transferred over the
network, making it useful for identifying potential evidence in digital investigations.
 Analyzing Network Sessions: NetworkMiner provides details about network sessions, including
information about connected hosts, ports, protocols, and data transfer statistics.
 OS Fingerprinting: It can perform operating system fingerprinting to determine the operating
systems of hosts on the network.
 DNS and Hostname Resolution: NetworkMiner resolves IP addresses to hostnames and
extracts domain names from DNS traffic.
 Keyword Search: You can perform keyword searches within captured network data, making it
easier to find specific information of interest.
 Export Data: NetworkMiner allows you to export extracted files, images, and other data for
further analysis or reporting.

 NetworkMiner can extract files, emails and certificates transferred over the network by parsing a
PCAP file or by sniffing traffic directly from the network.

[Figure: NetworkMiner showing files extracted from sniffed network traffic to disk]

 Use of NetworkMiner in Digital Forensics:

 Evidence Collection: It allows forensic investigators to capture and analyze network traffic,
potentially uncovering evidence of unauthorized access, data exfiltration, or other malicious
activities.
 File and Data Recovery: NetworkMiner can extract files and data from network traffic, which
can be essential for recovering and preserving evidence.
 Intrusion Detection: It can help identify and analyze signs of network intrusions and attacks,
such as port scanning, malware communication, or exploitation attempts.
 Log Analysis: NetworkMiner can provide insights into network activities and
communications, which can be used for understanding the sequence of events during an
incident.
 Identification of Malware: By analyzing network traffic, NetworkMiner can help forensic
investigators identify the presence of malware, understand its behavior, and trace it back to its
source.
 Incident Response: In the event of a security incident or breach, NetworkMiner can assist in
understanding the extent and impact of the incident by analyzing network data.

 Wireshark :- Wireshark is a popular open-source network protocol analyzer that allows you to capture and inspect network data and packets in real time. It is widely used for network analysis and troubleshooting, and it can be a valuable tool in digital forensics. Here are the installation steps, a discussion of its functionalities, and its use in digital forensics:

 Installation Steps for Wireshark:

 Visit the official Wireshark website: https://www.wireshark.org/download.html
 Download the appropriate version of Wireshark for your operating system (Windows, macOS, or Linux).
 Run the installer.
 Follow the on-screen instructions to complete the installation. On Windows the installer offers to install Npcap, the packet capture driver Wireshark needs (it replaced the older, no longer maintained WinPcap); accept it.

 Functionalities of Wireshark:

 Packet Capture: Wireshark allows you to capture network traffic in real time from network
interfaces or read capture files saved in various formats.
 Deep Packet Inspection: It can dissect and analyze individual network packets to provide details
about the protocols, fields, and data contained within them.
 Live Traffic Analysis: Wireshark displays live network traffic, making it useful for monitoring and
troubleshooting network issues.
 Protocol Support: It supports a vast array of network protocols, allowing you to analyze data at
various levels of the OSI model.
 Display Filters: You can create custom display filters to focus on specific traffic or data types of
interest.
 Statistics: Wireshark provides statistical information on captured data, including network utilization,
protocol distribution, and more.
 Protocol Hierarchy: It presents network traffic in a hierarchical manner, showing the relationship
between various protocols and how data flows through the network.
 Export and Save: You can save capture data in multiple file formats, such as pcapng (the default), classic pcap, CSV, or plain text.

 Use of Wireshark in Digital Forensics:
Wireshark can be a valuable tool in digital forensics for the following purposes:

 Network Traffic Analysis: In digital forensics, Wireshark can capture and analyze network traffic to identify patterns of suspicious or malicious behavior, such as data exfiltration, unauthorized access, or communication with command and control servers.
 Malware Analysis: Wireshark can help forensic investigators understand how malware communicates over the network, what data it transmits, and where it sends data. This is essential for identifying and mitigating security incidents.
 Incident Response: During a security incident, Wireshark can assist in real-time analysis of network traffic to identify the source of the incident, the extent of the compromise, and the tactics used by an attacker.
 Evidence Collection: Captures can document network-related evidence for legal proceedings. To keep them defensible, capture from a mirror (SPAN) port or network tap rather than on the suspect host, record the capture host, interface, and start and end times, and save the file unmodified and hash it. Network packet captures can be critical in cases involving cybercrimes or network intrusions.
 Data Recovery: File > Export Objects (HTTP, SMB, TFTP and other protocols) reassembles files transmitted over the network from the capture, and Follow TCP Stream shows a whole conversation in order; both may be critical for digital forensics investigations.
 Log Analysis: By analyzing network traffic, Wireshark can provide insights into communication patterns, source and destination IP addresses, and the sequence of network events, which can then be correlated with firewall, proxy and host logs.
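Both NetworkMiner's session list and Wireshark's Statistics > Conversations view, and the file and request reconstruction both tools perform, begin the same way: walking the capture file record by record and decoding Ethernet, IP and TCP headers. The following added example (not code from either project, standard library only) does exactly that for the classic pcap format; it first writes a constructed four-packet capture in memory, so no real traffic is involved, then parses it back into per-packet records, bidirectional conversations, and HTTP request lines.

```python
"""Minimal reader for classic libpcap (.pcap) files, plus the two views an
analyst reaches for first: conversations and request lines. Added example
using only the standard library; it writes a constructed four-packet capture
in memory and parses it back, so nothing here comes from a real network."""
import socket
import struct
from collections import defaultdict

ETHERTYPE_IPV4, IPPROTO_TCP, LINKTYPE_ETHERNET = 0x0800, 6, 1


def _tcp_frame(src, dst, sport, dport, flags, seq, payload=b""):
    """Ethernet/IPv4/TCP frame. Checksums are left zero; Wireshark would flag
    that, which does not matter for exercising the parser."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture: TCP handshake and one HTTP request/response."""
    client, server = "10.0.0.5", "10.0.0.9"
    frames = [
        _tcp_frame(client, server, 51000, 80, 0x02, 100),                # SYN
        _tcp_frame(server, client, 80, 51000, 0x12, 500),                # SYN/ACK
        _tcp_frame(client, server, 51000, 80, 0x18, 101,                 # PSH/ACK + request
                   b"GET /login HTTP/1.1\r\nHost: intranet\r\n\r\n"),
        _tcp_frame(server, client, 80, 51000, 0x18, 501,                 # PSH/ACK + response
                   b"HTTP/1.1 200 OK\r\n\r\n<html>ok</html>"),
    ]
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield one dict per TCP/IPv4 packet. The magic number tells us the byte
    order the capturing host used; pcapng (Wireshark's default) is a different
    format and is rejected here rather than misparsed."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        order = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(order + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this reader only handles the Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4                     # IPv4 header length in bytes
        total_len = struct.unpack("!H", frame[16:18])[0]  # ignore any Ethernet padding
        if frame[23] != IPPROTO_TCP:
            continue
        tcp = frame[14 + ihl:14 + total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield {"ts": ts_sec + ts_usec / 1e6,
               "src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
               "sport": sport, "dport": dport, "flags": tcp[13], "payload": tcp[data_off:]}


def conversations(packets):
    """Bidirectional flows keyed by the sorted endpoint pair (Wireshark's
    Statistics > Conversations view in miniature)."""
    flows = defaultdict(lambda: {"packets": 0, "payload_bytes": 0})
    for p in packets:
        key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        flows[key]["packets"] += 1
        flows[key]["payload_bytes"] += len(p["payload"])
    return dict(flows)


def request_lines(packets):
    """First line of every HTTP request payload, the starting point for
    Follow TCP Stream / Export Objects style reconstruction."""
    return [p["payload"].split(b"\r\n", 1)[0].decode("ascii", "replace")
            for p in packets if p["payload"].startswith((b"GET ", b"POST "))]
```

The reader keys conversations on the sorted endpoint pair so that both directions of a flow land in one entry, and it refuses pcapng rather than guessing: a capture saved with Wireshark's default format would otherwise be silently misread, which is the kind of error that is hard to notice once the numbers are in a report.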

Experiment 5:
AIM: Install MAGNET RAM Capture, MAGNET Encrypted Disk Detector, and MAGNET
Web Page Saver on your system and discuss steps of installation in your practical report. Discuss
the functionalities of these tools with screenshots in your report. Explain the use of these tools in
digital forensics.

Competency and Practical Skills: To demonstrate the installation and use of available software
tools.

Relevant CO: CO4

Objectives: To learn how different software tools are used in forensic to capture the live
moments in the computer memories.

Equipment/Instruments: computer system, software tool.

 MAGNET RAM Capture: - Magnet RAM Capture is a free tool developed by Magnet Forensics, a company specializing in digital forensics and investigative solutions. It is designed for capturing the content of a live Windows computer's random-access memory (RAM) for use in digital forensic investigations. Here are the installation steps, a discussion of its functionalities, and its use in digital forensics:

 Installation Steps for Magnet RAM Capture:

 Visit the official Magnet Forensics website: https://www.magnetforensics.com/resources/magnet-ram-capture/ and request the download (a registration form is shown).
 Download the Windows build; the tool is Windows-only and is delivered as a single stand-alone executable.
 There is nothing to install on the target: copy the executable to removable media, run it as Administrator on the live system, choose the output location (the same removable media, never the evidence disk) and start the capture.

 Functionalities of Magnet RAM Capture:

Magnet RAM Capture has a deliberately small feature set, which is what an acquisition tool should have:

 Memory Capture: It captures the full physical memory of a live Windows system (32- and 64-bit) to a raw dump file, including running processes, network connections, open files, and other volatile data that would be lost at shutdown.
 Small Footprint: As a stand-alone executable with no installation, it changes as little as possible on the evidence system, which matters because every page it touches displaces memory that might hold evidence.
 Raw Output: The dump is a plain raw image that analysis frameworks such as Volatility accept directly.
 What the Image Contains: Details of running processes, loaded modules and libraries, open network connections and sessions, and open file handles are all present in the captured memory. Magnet RAM Capture does not display them; they are extracted afterwards with a memory analysis tool, which is where suspicious processes and connections are identified.

 Use of Magnet RAM Capture in Digital Forensics:

Magnet RAM Capture is a valuable tool in digital forensics for various purposes:

 Incident Response: It can be used during incident response to capture the state of a system's
RAM at a specific point in time. This allows investigators to analyze the system's memory for
signs of malicious activity, such as running malware or unauthorized processes.
 Live Memory Analysis: By acquiring live memory snapshots, forensic investigators can perform
memory analysis to identify signs of intrusion, data exfiltration, or other security incidents.
 Evidence Preservation: Memory captures serve as digital evidence, enabling investigators to
maintain a forensic record of the system's state, which can be important in legal proceedings.
 Malware Analysis: RAM captures are a valuable source of data for analyzing and understanding
the behavior of malware. Investigators can analyze memory dumps to identify how malware
operates and communicates.
 Reconstructing System State: Memory captures can help reconstruct the state of a system at the
time of an incident, providing insights into what processes were running and how the system was
used.
 Reverse Engineering: Digital forensics experts and reverse engineers can use memory captures to
uncover encryption keys, credentials, and other sensitive data.

 MAGNET Encrypted Disk Detector: - Magnet Encrypted Disk Detector (EDD) is a free command-line tool developed by Magnet Forensics, a company specializing in digital forensics and investigative solutions. It checks the physical drives of a live Windows system for encrypted volumes, so that the examiner knows, before the machine is powered off, whether encrypted data is present. Here are the installation steps, a discussion of its functionalities, and its use in digital forensics:

 Installation Steps for Magnet Encrypted Disk Detector:

Magnet Encrypted Disk Detector is available for free from the official Magnet Forensics website. It is a Windows-only command-line tool with no installer:

 Visit the official Magnet Forensics website: https://www.magnetforensics.com/resources/encrypted-disk-detector/ and request the download.
 Copy the downloaded executable to removable media; nothing is installed on the evidence system.
 On the live system, open an elevated command prompt (Run as Administrator), change to the removable media and run the executable. It lists each physical drive and volume and reports any encryption it recognises.

 Functionalities of Magnet Encrypted Disk Detector:

Magnet Encrypted Disk Detector has the following key functionalities:

 Encrypted Volume Detection: It scans the physical drives of the live system for the signatures of encrypted volumes, including full-disk encryption and encrypted container files.
 Detects Popular Encryption Tools: It recognises volumes encrypted with BitLocker, TrueCrypt, VeraCrypt, PGP and SafeBoot, among others.
 Live-system Operation: It runs from an elevated command prompt on the running machine and needs no installation, so it fits into a live triage checklist alongside RAM capture.
 Windows Only: It is a Windows tool; it does not examine macOS FileVault volumes, which need a different approach.

 Use of Magnet Encrypted Disk Detector in Digital Forensics:

Magnet Encrypted Disk Detector plays a significant role in digital forensics for several purposes:

 Deciding on Live Acquisition: Its main purpose is to answer one question while the machine is still running: is there an encrypted volume here? If so, the data is readable only while the volume is mounted, and an image taken after shutdown contains only ciphertext. A positive result tells the examiner to capture RAM and make a logical copy of the mounted volumes before powering off.
 Evidence Identification: Forensic investigators use the tool to identify encrypted volumes that may contain critical evidence related to a case. Detecting them is the first step in planning how to access and analyse the data they contain.
 Forensic Imaging: Knowing which drives are encrypted determines the imaging strategy: a physical image of an encrypted drive preserves the data but cannot be examined without the key, so a live logical image of the decrypted view is taken as well.
 Compliance and Legal Requirements: Recording that encryption was detected, and why a live acquisition was chosen, documents the reasoning behind the evidence handling in a legally defensible manner.
 Password and Key Recovery: Once an encrypted volume is identified, forensic experts can attempt to recover the password or encryption key, for example from the RAM capture taken while the volume was mounted, from a recovery key stored elsewhere, or by a dictionary attack. Encrypted Disk Detector only detects; it does not decrypt anything itself.

 MAGNET Web Page Saver :- MAGNET Web Page Saver is a tool used in digital
forensics for capturing and preserving web pages. Below are the installation steps, an
overview of its functionalities, and its use in digital forensics:

 Installation Steps for MAGNET Web Page Saver:

MAGNET Web Page Saver is a Windows tool; ensure that the computer on which captures will be made meets its system requirements.

 Visit the official MAGNET Web Page Saver website: https://www.magnetforensics.com/resources/web-page-saver/ and request the download.
 Download the Windows build of MAGNET Web Page Saver.
 Follow the provided installation instructions, which include running the installer and accepting the license terms.

 Functionalities of MAGNET Web Page Saver:

MAGNET Web Page Saver is designed to assist digital forensic investigators with web page preservation. Its key functionalities include:

 Web Page Capture: Given one URL or a list of URLs, it captures each page as it appears in a browser, scrolling so that the full page is captured rather than only the visible screen.
 Capture Timestamps: Each capture is stored with its URL and the date and time at which it was taken, which is the metadata that matters when the page is later presented as evidence.
 Output: The page images and a report are written to an output folder of your choosing, so they can be stored with the case file and shared in an ordinary format.
 Reporting: The generated report lists the captured pages with their URLs and timestamps, making it easier to present findings in legal proceedings.

 Use in Digital Forensics:

MAGNET Web Page Saver plays a crucial role in digital forensics in the following ways:

 Preservation of Digital Evidence: Digital forensic investigators use this tool to capture and preserve web pages as they appeared at a specific point in time. Because web content changes or disappears, this capture, with its recorded URL and timestamp, is often the only record; hashing the output files immediately after capture preserves their integrity.
 Investigation of Cybercrimes: Web pages often contain vital evidence related to cybercrimes, such as phishing attacks, hacking, or online harassment. Investigators can use MAGNET Web Page Saver to collect this evidence for analysis and legal purposes.
 E-Discovery: In legal cases, preserved web pages can be used as evidence, especially in e-discovery. MAGNET Web Page Saver records the page content and capture metadata in a forensically sound manner.
 Incident Response: During incident response, digital forensics teams can use MAGNET Web Page Saver to capture web pages that are relevant to security incidents, such as a phishing site before it is taken down, helping to understand the context and potential threats.

Experiment 6:
AIM: Install Volatility on your system and Write installation steps with screenshots in your practical
report. Discuss and demonstrate the functionalities of this tool.

Competency and Practical Skills: To demonstrate the installation and use of available software tools.

Relevant CO: CO4

Objectives: To learn how software tools are used in forensic to recover artifacts from the device,
network, file system, and registry etc.

Equipment/Instruments: computer system, software tool.

 Description: - Volatility is a widely used open-source framework for memory forensics, designed to
analyze the volatile memory (RAM) of a computer system. It provides a suite of tools and plugins that
enable forensic investigators, incident responders, and security professionals to extract valuable
information from memory dumps.

 Installation Steps for Volatility:

 Prerequisites: Volatility is written in Python. Two major versions exist: Volatility 2 (the repository linked below) requires Python 2.7 and is in maintenance mode; Volatility 3 is the current version and requires Python 3. New work should use Volatility 3.

 Download Volatility: Go to the Volatility GitHub repository: https://github.com/volatilityfoundation/volatility (Volatility 3 lives in the separate volatility3 repository under the same organisation).
Click the "Code" button and select "Download ZIP" to download the latest version of Volatility.

 Extract the ZIP File: After the download is complete, extract the contents of the ZIP file to a directory of your choice.

 Install Dependencies: Open a command prompt or terminal, navigate to the directory where you extracted the Volatility files, and install the Python packages some plugins need (for Volatility 2 these include distorm3, yara-python and pycrypto; for Volatility 3 they are listed in requirements.txt and installed with pip install -r requirements.txt).

 Install Volatility: Run python setup.py install from that directory. Volatility 3 can alternatively be installed straight from PyPI with pip install volatility3.

 Verify the Installation: Open a command prompt or terminal and run python vol.py -h (or vol -h after a pip install of Volatility 3). The plugin list that is printed confirms the installation.

 Functionalities of Volatility: Volatility is a versatile memory forensics tool with various functionalities
used in digital forensics investigations:

 Memory Analysis: Volatility can analyze memory dumps acquired from live systems (raw images, crash dumps, VM snapshots) or converted hibernation files. It recovers information from volatile memory, including running processes, network connections, and loaded drivers.
 Process Analysis: Plugins such as pslist, pstree and cmdline (windows.pslist, windows.pstree and windows.cmdline in Volatility 3) list processes with their IDs, parents, command-line arguments, and loaded modules; psscan additionally finds terminated or hidden processes that are absent from the normal list.
 Network Analysis: netscan reveals network connections and listening ports present in the dump, assisting in investigating network-based attacks.
 File Analysis: filescan and dumpfiles locate and extract files cached in memory, which can be useful for identifying malicious or sensitive files.
 Registry Analysis: hivelist and printkey parse the registry hives cached in memory, revealing configuration data, user profiles, and system settings.
 Plugin Support: Volatility has a rich ecosystem of plugins that extend its capabilities, such as malfind for injected code, ssdt and modscan for rootkit indicators, and yarascan for signature matching.

 Use of Volatility:

Volatility is widely used in digital forensics and incident response for the following purposes:

 Memory Analysis: Volatility helps investigators examine the contents of a computer's memory to
detect and analyze malicious activity, uncover evidence of security incidents, and identify
compromised systems.
 Malware Analysis: It is a key tool for dissecting and understanding memory-resident malware,
including identifying malicious code injected into legitimate processes.
 Incident Response: During incident response, Volatility allows responders to rapidly collect data from
memory to assess the scope and impact of a security incident.
 Forensic Investigations: Digital forensic experts rely on Volatility to analyze memory dumps in
criminal investigations, intellectual property theft cases, and other forensic scenarios.
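One of the first checks run over a pstree/pslist listing is whether the core Windows processes have the parents they should have: an svchost.exe whose parent is not services.exe, or a second lsass.exe, is a classic sign of injected or renamed malware. The following added example (not a Volatility plugin) applies that check to a constructed listing in the column layout of Volatility 3's windows.pslist; the expected-parent table is an assumption drawn from the standard Windows boot chain and should be adjusted for the Windows version under examination.

```python
"""Parent/child sanity check over Volatility 3 windows.pslist output. Added
example, not a Volatility plugin: the listing below is constructed to look like
the plugin's table and is not from a real memory image. The expected-parent
table is my reading of the standard Windows boot chain (wininit.exe starts
services.exe and lsass.exe; services.exe starts svchost.exe), so treat it as
an assumption to adjust per Windows version."""
from collections import Counter

# Constructed listing, not from a real image.
SAMPLE_PSLIST = """Volatility 3 Framework 2.x
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime
4\t0\tSystem\t0xaa0\t120\t-\tN/A\tFalse\t2024-01-10 08:00:01.000000\tN/A
368\t4\tsmss.exe\t0xab0\t2\t-\tN/A\tFalse\t2024-01-10 08:00:02.000000\tN/A
512\t496\tcsrss.exe\t0xac0\t10\t-\t0\tFalse\t2024-01-10 08:00:03.000000\tN/A
584\t496\twininit.exe\t0xad0\t1\t-\t0\tFalse\t2024-01-10 08:00:03.000000\tN/A
688\t584\tservices.exe\t0xae0\t6\t-\t0\tFalse\t2024-01-10 08:00:04.000000\tN/A
700\t584\tlsass.exe\t0xaf0\t8\t-\t0\tFalse\t2024-01-10 08:00:04.000000\tN/A
812\t688\tsvchost.exe\t0xb00\t12\t-\t0\tFalse\t2024-01-10 08:00:05.000000\tN/A
2120\t1800\texplorer.exe\t0xb10\t40\t-\t1\tFalse\t2024-01-10 08:01:00.000000\tN/A
3392\t2120\tsvchost.exe\t0xb20\t3\t-\t1\tFalse\t2024-01-10 09:15:22.000000\tN/A
3560\t2120\tlsass.exe\t0xb30\t2\t-\t1\tFalse\t2024-01-10 09:15:30.000000\tN/A
4100\t3392\tcmd.exe\t0xb40\t1\t-\t1\tFalse\t2024-01-10 09:16:01.000000\tN/A
"""

EXPECTED_PARENT = {          # child -> parent image name (assumption, see above)
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "smss.exe": "System",
}
SINGLETONS = {"services.exe", "lsass.exe", "wininit.exe"}   # one live instance per boot


def parse_pslist(text):
    """Keep PID, PPID and image name; skip the banner and header lines."""
    procs = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        procs.append({"pid": int(fields[0]), "ppid": int(fields[1]), "name": fields[2]})
    return procs


def find_anomalies(procs):
    """Return (pid, reason) pairs for wrong parents and duplicated singletons.
    A parent that is not in the list at all is normal for csrss/wininit (smss
    exits after spawning them), so only processes in EXPECTED_PARENT are judged."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p["name"].lower())
        if expected is None:
            continue
        parent = by_pid.get(p["ppid"])
        actual = parent["name"] if parent else f"<pid {p['ppid']} not in list>"
        if actual.lower() != expected.lower():
            findings.append((p["pid"], f"{p['name']} parent is {actual}, expected {expected}"))
    counts = Counter(p["name"].lower() for p in procs)
    for name in SINGLETONS:
        if counts[name] > 1:
            pids = [p["pid"] for p in procs if p["name"].lower() == name]
            findings.append((pids[-1], f"{counts[name]} copies of {name}: {pids}"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_anomalies(parse_pslist(SAMPLE_PSLIST)):
        print(f"PID {pid}: {reason}")
```

In the constructed listing the check flags PID 3392 (an svchost.exe started by explorer.exe) and PID 3560 (a second lsass.exe, also under explorer.exe), while the legitimate svchost.exe and lsass.exe pass. The cmd.exe under PID 3392 is not flagged by this rule, which is the usual next step: pivot from the anomaly to its children and to netscan and malfind for the same PIDs.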

Experiment 7:
AIM: Computer Operating system Artifacts Finding deleted data, hibernating files, examining window
registry, recycle bin operation, understanding of metadata, Restore points and shadow copies.

Competency and Practical Skills: To demonstrate the finding and locating various sources of artifact in
computer system.

Relevant CO: CO4

Objectives: To learn how to locate various computer system artifacts for finding useful hidden data from
computer system

Equipment/Instruments: computer system, Operating system.

 Finding deleted data:-

 Deleted data can often be recovered using specialized data recovery software or forensic tools. When a file is deleted, its content is usually not removed from the storage device. The file system marks the clusters as available for reuse (on NTFS the MFT entry is marked unused), so the data survives until something overwrites it. SSDs with TRIM enabled are the exception: discarded blocks may be zeroed almost immediately.
 To recover deleted data, these tools either read the file system's own bookkeeping for unallocated entries or carve unallocated space for known file signatures (headers and footers). They can restore complete files or fragments of files.
 Always work on a write-blocked drive or a forensic image, never on the original evidence, so that nothing is overwritten during recovery.
 TestDisk is an open-source data recovery utility that can recover lost partitions and make non-booting disks bootable again; its companion tool PhotoRec, distributed with it, carves deleted files by signature. Both are available for Windows, Linux, and macOS.

 Hibernating files :-

 Hibernating files typically refer to data saved when a computer enters hibernation mode. On Windows this data is stored in the hibernation file hiberfil.sys in the root of the system drive.
 The hibernation file contains the contents of RAM at the moment of hibernation, allowing the computer to resume its state when powered on. Forensically it is a memory image from the past; on Windows 8 and later, Fast Startup writes it on an ordinary shutdown too, so it is often present even when the user never hibernated deliberately.
 The file is stored in a compressed format, so it is converted to a raw memory image before analysis (Volatility 2's imagecopy plugin does this); the converted image is then examined with the same memory analysis tools as a live RAM capture. Volatility is the tool most commonly used for this purpose.

 Examining window registry: -

 The Windows Registry is a hierarchical database that stores configuration settings and options
for the Windows operating system and installed applications.
 Forensic analysts examine the registry to find information about user accounts, installed
software, system settings, and recent activities. It can provide insights into system changes and
user behavior.
 There are several tools available for examining the Windows Registry in a forensic context. On a live system the built-in editor shows the current registry; for an evidence image the hive files themselves (SYSTEM, SOFTWARE, SAM and SECURITY under %SystemRoot%\System32\config, plus each user's NTUSER.DAT and UsrClass.dat) are copied out and parsed offline with a forensic registry parser such as RegRipper or Registry Explorer, which never modifies the hive. Some tools:

 Regedit: This is the built-in Windows Registry Editor. It is not a forensic tool: it shows the live registry only, and any click that changes a value alters the evidence. Use it for viewing on a test machine, not on the suspect system.
 Regedt32: On Windows NT and 2000 this was a separate editor with permission-editing features; on Windows XP and later the name simply launches Regedit.

 Recycle bin operation :-

 The Recycle Bin is a temporary storage location for deleted files on Windows. When a file is deleted through Explorer, it is moved to the Recycle Bin rather than being immediately removed (files deleted with Shift+Delete, from the command line or by programs bypass it).
 On disk the Recycle Bin is the hidden folder $Recycle.Bin on each volume, with one subfolder per user SID. Each deleted file becomes a pair: a $R file holding the original content and a small $I file holding the original path, original size and deletion time. The $I records therefore answer what was deleted, when, and by which account, and they can survive in unallocated space after the bin has been emptied.
 Forensically, examining the Recycle Bin can reveal what files were recently deleted, when they were deleted, and potentially recover the files themselves if they have not been permanently deleted from the Recycle Bin.
 There are several tools available for working with the Recycle Bin. Recuva, a popular and user-friendly data recovery tool from the makers of CCleaner, can recover deleted files from the Recycle Bin as well as from various storage devices through a straightforward interface.
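The $I record is small enough to parse by hand, and doing so shows where the "what, when and by whom" of a Recycle Bin entry actually comes from. The following added example (not vendor code) builds two constructed $I records, one in the Windows Vista to 8 layout and one in the Windows 10 layout, and parses them back, including the FILETIME conversion; the path and deletion time are hypothetical.

```python
"""Parser for the $I metadata records that Windows Vista and later write to
$Recycle.Bin\\<SID>\\ when a file is deleted. Added example, not vendor code;
the records it reads are constructed in memory, not taken from a real system.
Layout (both versions): 8-byte version, 8-byte original size, 8-byte deletion
FILETIME; v1 (Vista to 8) then holds a fixed 520-byte UTF-16LE path, v2
(Windows 10 and later) a 4-byte character count followed by the path."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """100-ns intervals since 1601-01-01 UTC, in integers to avoid float loss."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def build_dollar_i(path, size, deleted_at, version=2):
    """Construct a $I record (used here only to make sample input)."""
    header = struct.pack("<QQQ", version, size, to_filetime(deleted_at))
    name = path.encode("utf-16-le") + b"\x00\x00"
    if version == 2:
        return header + struct.pack("<I", len(path) + 1) + name
    if version == 1:
        return header + name.ljust(520, b"\x00")
    raise ValueError("unknown $I version")


def parse_dollar_i(data):
    """Decode one $I record into version, original size, deletion time and path."""
    if len(data) < 24:
        raise ValueError("$I record too short")
    version, size, ft = struct.unpack("<QQQ", data[:24])
    if version == 2:
        nchars = struct.unpack("<I", data[24:28])[0]
        raw = data[28:28 + nchars * 2]
    elif version == 1:
        raw = data[24:24 + 520]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", "replace").split("\x00", 1)[0]
    return {"version": version, "size": size, "deleted_at": from_filetime(ft), "path": path}


def partner_r_name(i_name):
    """The content sits in the matching $R file: same random suffix, $I -> $R."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I name")
    return "$R" + i_name[2:]


# Constructed samples (hypothetical path and deletion time).
DELETED_AT = datetime(2024, 3, 15, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_V2 = build_dollar_i(r"C:\Users\alice\Documents\secret.docx", 2048, DELETED_AT, version=2)
SAMPLE_V1 = build_dollar_i(r"C:\Users\alice\Documents\secret.docx", 2048, DELETED_AT, version=1)

if __name__ == "__main__":
    for sample in (SAMPLE_V2, SAMPLE_V1):
        rec = parse_dollar_i(sample)
        print(rec["version"], rec["size"], rec["deleted_at"].isoformat(), rec["path"])
```

The SID comes from the subfolder the $I file was found in, not from the record itself, so keep the folder path with each parsed record. The FILETIME arithmetic is done in integers on purpose: converting through a float loses the low digits of a 2024 timestamp, which is the sort of error that turns a deletion time into a near-miss in a timeline.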

 understanding of metadata :-

 Metadata is data that describes other data. It includes information about files such as creation and
modification dates, file size, author, and more.
 In forensics, metadata analysis can reveal valuable information about files, their origins, and their
history. This can help establish timelines and associations in an investigation.
 Understanding metadata can be vital in digital forensics and data analysis. Several tools are available
to help examine and extract metadata from various file types. Here are some popular tools for
understanding metadata: ExifTool is a versatile and powerful command-line tool for reading, writing,
and editing metadata in a wide range of file formats, including images, audio, video, and documents.
It is a popular choice for extracting EXIF metadata from images.

 Restore Points:

 Restore points are snapshots of the Windows system and settings taken at specific moments in time.
They are used for system recovery and can be accessed through the System Restore feature.
 Forensically, restore points can be valuable for understanding the system's state at various points in
time, which can be helpful in investigations involving system changes or malware infections.
 On an evidence system, System Restore must never be run: rolling back changes the state of the drive being examined. Restore points are examined from an image instead; since Windows Vista they are implemented on top of Volume Shadow Copies, stored under the System Volume Information folder, so the shadow copy techniques below apply. To see which restore points exist on a test machine:
 On Windows 10 and 11: Type "Create a restore point" in the search bar, then click the "System Restore" button in the System Properties window; the wizard lists the available restore points with their dates.

 Shadow Copies:

 Shadow Copies, also known as Volume Shadow Copies, are snapshots of files and folders on
Windows systems. They allow users to recover previous versions of files.
 In digital forensics, shadow copies can provide a way to access historical versions of files, which can
be critical for investigations involving data tampering or file changes.
 To work with Shadow Copies on a Windows system, the Volume Shadow Copy Service (VSS) and several built-in tools and commands are available:
 Previous Versions: Built into Windows, the "Previous Versions" tab in a file or folder's properties lists the versions held in shadow copies and lets you open or restore them. It is the user-friendly way to get at shadow copy contents.
 vssadmin list shadows: Run from an elevated command prompt, this enumerates the shadow copies on the system with their creation times and device names (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN).
 mklink /d: A directory symbolic link to such a device name (with a trailing backslash) mounts a shadow copy as an ordinary folder, so it can be browsed, copied or imaged with normal tools.

Experiment 8:
AIM: Demonstrate COFEE Tool

Competency and Practical Skills: To demonstrate the installation and use of available software tools.

Relevant CO: CO4

Objectives: To learn how Microsoft based product COFEE tool helps computer forensic
investigators extract evidence from a Windows computer.

Equipment/Instruments: computer system, software tool.

 Installation Step:

Step-1 – Download the software. COFEE was distributed by Microsoft to law enforcement only, so the copy at the link below is a third-party mirror; treat it accordingly:

https://www.afterdawn.com/software/system_tools/misc_system_tools/coffee.cfm

Step 2 – Execute the installation program "COFEE v1.1.2 Installer.msi".

Step 3 – A setup wizard is displayed. Click "Next" to continue.

Step 4 – The COFEE License Agreement is displayed. Read the agreement carefully, select “I Agree,” and
click “Next” to continue.

Step 5 – Select the folder in which to install COFEE. By default, the programs will be installed to “C:\
Program Files\COFEE v1.1\.” The “Disk Cost” button will display the amount of space the COFEE
installation will take up on the investigator’s computer based upon the installation folder selected. After
selecting the installation folder, click “Next” to continue.

Step 6 – Click “Next” to continue.

Step 7 – Wait for the installation to finish.

Step 8 – Installation Complete. Click “Close” to exit.

COFEE will install a shortcut on the investigator’s desktop, as well as create a program group under the
start menu. Either can be used to start COFEE.

 Why Use COFEE?

 In COFEE, the GUI interface is used for the preparation of the forensics tools and the assigning of
the digital forensics’ execution order. According to live forensics guidelines, investigators should
take into account the order of evidence volatility, while having minimal interaction with the target
machine.

 COFEE has been designed to provide the investigator the ability to collect evidence from a target
system with the minimum of user interaction. After the GUI interface generates a COFEE USB
device (copies all scripts and programs), the investigator can take the device and easily insert it
onto a target machine, and begin the collection process by executing a single program.

 While specific programs have been selected as part of the included profiles, COFEE allows a
seasoned investigator to add or remove any program they desire, as well as create any profile to
meet their specific investigative needs.

Experiment 9:
AIM: Comparison of two files for forensics investigation by Compare IT software.

Competency and Practical Skills: To demonstrate the installation and use of available software tools.

Relevant CO: CO4

Objectives: learn how Compare IT tool is used to compares and identifies the differences between two
files.

Equipment/Instruments: computer system, software tool (Compare IT), Data files.

 Compare It is a program that displays two files side by side, with the differing sections coloured to simplify analysis. You can move changes between files with a single mouse click or keystroke, and you can edit files directly in the comparison window. It can print a coloured report of the differences exactly as shown on screen.

 First, install Compare It from http://www.grigsoft.com/wincmp3.htm (a 1.7 MB package). Start Compare It; it shows a window for selecting the files to be compared. Select the first file and click Open, then select the second file and click Open.

It then shows the changes in the highlighted bars. For a forensic comparison, compute a hash (e.g. SHA-256) of each file first: identical hashes prove the files are the same, and the visual diff is for understanding what changed when the hashes differ.

It also gives you Print report of the difference in the file as follows

Another Example of File Comparing.


Experiment 10:
AIM: Forensic image of the hard drive using EnCase Forensics.

Competency and Practical Skills: To demonstrate the installation and use of available software tools.

Relevant CO: CO4

Objectives: learn how to create bit stream of computer storage device and recovers data from the
computer system.

Equipment/Instruments: computer system, software tool.

In this experiment we use AccessData FTK Imager (AccessData is now part of Exterro) rather than EnCase itself; FTK Imager writes the EnCase evidence file format (E01) as well as raw dd images, so the resulting image can be opened in EnCase.

 Installation Step:

Step-1: Download FTK Imager. The page https://accessdata-ftk-imager.software.informer.com/download/ is a third-party mirror; prefer the vendor's (Exterro) download page and verify the installer's hash if one is published.
Step-2: Download the tool's installer (or ZIP file) from the website.
Step-3: Install the tool on your system.
Step-4: After successful installation, open File > Create Disk Image.
Step-5: Choose the source type. For a bit-stream image of a hard drive select Physical Drive (Logical Drive images one volume; Contents of a Folder makes a logical image of selected files only, and is what was used in the screenshots below).
Step-6: Select the drive or folder to be imaged.
Step-7: Click Add.. and choose the image type (E01 or Raw (dd)), then enter the Case Number, Evidence Number, Unique Description, Examiner, and Notes.
Step-8: Enter the image destination folder and filename, leave "Verify images after they are created" checked, and click Finish. FTK Imager computes MD5 and SHA1 hashes while it reads the source and re-hashes the finished image; the two sets must match, and both are written to the image's .txt summary file.

After completion of these steps, go to File > Add Evidence Item, select Image File, and open the forensic image just created to confirm that its contents are readable.
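The hashing-while-copying and the subsequent re-hash are what make the image defensible, so it is worth seeing them without the GUI. The following added example (not AccessData or Exterro code) images a constructed temporary file standing in for a device, verifies the written image, shows that a single flipped byte is caught, and writes a log with the same fields FTK Imager asks for in its Add dialog; the case number and examiner name are placeholders, and on a real acquisition the source would be the block device behind a write blocker.

```python
"""Bit-stream copy with hashes computed in the same pass, then independent
verification of the written image, which is what FTK Imager does behind its
"Verify images after they are created" checkbox. Added example, not AccessData
or Exterro code. The source here is a constructed temporary file standing in
for a device; on a real acquisition the source would be the block device
(e.g. \\\\.\\PhysicalDrive1 on Windows, /dev/sdb on Linux) behind a write blocker."""
import hashlib
import os
import tempfile


def acquire_image(src_path, dst_path, chunk_size=1 << 20):
    """Copy src to dst byte for byte; return size and hashes of what was read."""
    md5, sha256, total = hashlib.md5(), hashlib.sha256(), 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            buf = src.read(chunk_size)
            if not buf:
                break
            dst.write(buf)
            md5.update(buf)
            sha256.update(buf)
            total += len(buf)
    return {"bytes": total, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_file(path, chunk_size=1 << 20):
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk_size), b""):
            sha256.update(buf)
    return sha256.hexdigest()


def verify_image(dst_path, acquisition):
    """Re-read the image from disk and compare with the acquisition hash."""
    return hash_file(dst_path) == acquisition["sha256"]


def acquisition_log(case, evidence, examiner, src_path, dst_path, acquisition, verified):
    """Text record mirroring the fields FTK Imager asks for in its Add dialog."""
    return "\n".join([
        f"Case number: {case}", f"Evidence number: {evidence}", f"Examiner: {examiner}",
        f"Source: {src_path}", f"Image: {dst_path}",
        f"Bytes: {acquisition['bytes']}", f"MD5: {acquisition['md5']}",
        f"SHA256: {acquisition['sha256']}", f"Verified: {'yes' if verified else 'NO'}",
    ])


def demo():
    """Image a constructed 3 MiB 'device', verify it, then show that a single
    flipped byte in the image is caught by verification."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "device.bin")
        img = os.path.join(tmp, "evidence.001")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096))       # 3 MiB of constructed data
        acq = acquire_image(src, img)
        ok_before = verify_image(img, acq)
        with open(img, "r+b") as f:                        # simulate a corrupted image
            f.seek(1_000_000)
            f.write(b"\xff")
        ok_after = verify_image(img, acq)
        log = acquisition_log("CASE-PLACEHOLDER", "E01", "Examiner A", src, img, acq, ok_before)
    return {"bytes": acq["bytes"], "verified": ok_before, "verified_after_tamper": ok_after,
            "sha256": acq["sha256"], "log": log}


if __name__ == "__main__":
    result = demo()
    print(result["log"])
    print("after tamper, verifies:", result["verified_after_tamper"])
```

Two things carry over to the real tool: the acquisition hash is of the bytes read from the source, not of the image file, so a later mismatch tells you the copy (not the evidence) changed; and verification must re-read the image from disk rather than reuse the in-memory hash, otherwise a write error would go unnoticed.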

[Figure: Input Image]

[Figure: Output Forensic image]
